> Hi Marco,
Hi,
> Thanks for the quick and detailed reply. However if I understand you
> rightly, these access permissions go into the slapd.conf. Is there
> any way of mainatining these permissions within the LDAP database
> itself?
by this methods you have to set slapd.conf only one time, then you can
control access editing entries directly.
With method using "groupsOfNames", every time you add a entry called
"cn=RWusers, ..." under a subtree and put a DN in a "member" attribute
value of this entry, this DN can read and write every object under the subtree.
Ex:
SLAPD.CONF:
access to dn="(.*),ou=(.*),dc=abcd,dc=com"
by self write
by group="cn=RWusers,$2,dc=abcd,dc=com" write
by group="cn=ROusers,$2,dc=abcd,dc=com" read
LDIF:
dn: cn=RWusers,ou=virtualDomain,dc=abcd,dc=com
cn: RWusers
ou: ou=virtualDomain
member: cn=userA,ou=adomain,,dc=abcd,dc=com
member: cn=userC,ou=anotherdomain,,dc=abcd,dc=com
... other stuff ...
every user that bind with a DN listed in "member", can write in
ou=virtualDomain,dc=abcd,dc=com subtree.
You can add and remove values from the entry without touch SLAPD.CONF.
With second method ACL also depend on entries, in a more performant
but less flexible way.
Bye
--------------------------------------------------------
Marco Ferrante (ferrante@unige.it)
CSITA (Centro Servizi Informatici e Telematici d'Ateneo)
Università degli Studi di Genova - Italy
Viale Brigata Salerno - 16147 Genova
tel (+39) 0103532621 (interno tel. 2621)
--------------------------------------------------------